[PATCH nf] netfilter: nf_tables: restore too deep jumpstack validation


 



Otherwise this breaks nested jumps to chains that reach the maximum depth:

  #!/bin/bash
  nft add table ip filter
  nft add chain ip filter input { type filter hook input priority 0\; }
  for ((i=0;i<20;i++)); do
     nft add chain ip filter a$i
  done
  nft add rule ip filter input jump a1
  for ((i=0;i<10;i++)); do
     nft add rule ip filter a$i jump a$((i+1))
  done
  for ((i=11;i<19;i++)); do
     nft add rule ip filter a$i jump a$((i+1))
  done

  nft add rule ip filter a10 jump a11

This patch is a partial revert.

Fixes: 26b2f552525c ("netfilter: nf_tables: fix jumpstack depth validation")
Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
---
 include/net/netfilter/nf_tables.h | 2 ++
 net/netfilter/nf_tables_api.c     | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index dc417ef0a0c5..d47c2426ebb3 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -867,6 +867,7 @@ enum nft_chain_flags {
  *	@table: table that this chain belongs to
  *	@handle: chain handle
  *	@use: number of jump references to this chain
+ *	@level: length of longest path to this chain
  *	@flags: bitmask of enum nft_chain_flags
  *	@name: name of the chain
  */
@@ -879,6 +880,7 @@ struct nft_chain {
 	struct nft_table		*table;
 	u64				handle;
 	u32				use;
+	u16				level;
 	u8				flags:6,
 					genmask:2;
 	char				*name;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 67cdd5c4f4f5..063004fab9de 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -6940,6 +6940,13 @@ int nft_validate_register_store(const struct nft_ctx *ctx,
 			err = nf_tables_check_loops(ctx, data->verdict.chain);
 			if (err < 0)
 				return err;
+
+			if (ctx->chain->level + 1 >
+			    data->verdict.chain->level) {
+				if (ctx->chain->level + 1 == NFT_JUMP_STACK_SIZE)
+					return -EMLINK;
+				data->verdict.chain->level = ctx->chain->level + 1;
+			}
 		}
 
 		return 0;
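Review bot: The new depth check only updates the level of the chain being jumped to (`data->verdict.chain->level`); chains already reachable from that chain keep the level computed when their own jump rules were added, so adding a jump into the head of an existing sub-chain lengthens every path below it without any of those chains being re-validated against NFT_JUMP_STACK_SIZE, unless nf_tables_check_loops, whose body is outside the hunk, propagates it. In the commit message's script the a11..a19 chain is built before `a10 jump a11`, which looks like exactly that case. The equality test on the limit is also fragile: `if (ctx->chain->level + 1 >= NFT_JUMP_STACK_SIZE)` rejects every over-limit value rather than only the one that lands exactly on it. Since level is never decremented here, rule deletion presumably leaves stale values behind, which is worth a comment on the new u16 field in nf_tables.h. nft_validate_register_store begins and ends outside the hunk.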
-- 
2.11.0



